解决vs_installershell.exe has an invalid certificate问题

问题描述:打开Visual Studio Installer出现了错误:vs_installershell.exe has an invalid certificate,程序终止,无法启动visual studio installer.

问题分析:检查vs_installer.exe的数字签名,发现SHA1签署的签名无效。点击证书详情,发现是Microsoft Root Certificate Authority被吊销,导致数字签名验证失败,所以无法启动VS Installer。但在证书管理器里检查这个证书没有问题。

Work around:手动启动vs_installershell.exe(注意要以管理员模式启动),仍然能打开VS Installer并执行VS更新。

解决方法:

  1. 导出Microsoft Root Certificate Authority这个根证书到文件备份。
  2. 在组策略中取消证书自动更新。gpedit.msc -> 计算机配置 -> 管理模板 -> 系统 -> Internet通信管理 -> Internet通信设置 -> 关闭自动根证书更新 -> 已启用
  3. 在证书管理器中删除Microsoft Root Certificate Authority这个根证书,注意计算机账户和用户账户里的证书都要删掉。(方法是运行mmc.exe然后选择添加管理单元,选择证书后再选择本地计算机账户)
  4. 导入刚才备份的根证书到系统中。
  5. 在文件属性中查看vs_installershell.exe的数字签名,此时应该签名正常。
  6. 打开组策略中的证书自动更新。(参考第2步,最后选择已停用或未配置即可)

原因:出现问题之前自己手动删除了系统里所有的根证书。猜想是这个原因导致系统的证书验证出现异常。而Microsoft Root Certificate Authority这个证书是Windows系统需要的,如果出现问题会导致系统组件工作不正常。所以通过停用自动更新的方式,手动刷新了这个根证书的状态,系统恢复正常。


English Version:

Error description: An error occurred while opening Visual Studio Installer: “vs_installershell.exe has an invalid certificate”. The program terminates afterwards.

Problem analysis: Manually check the digital signature via Properties window, the SHA1 signature is invalid. By clicking “View certificate”, it says that the “Microsoft Root Certificate Authority” CA certificate is revoked, the signature is invalid. The VS installer cannot be started because the digital signature validation failed.

Work around: Manually start vs_installershell.exe from File Explorer. By default it’s located in C:\Program Files(x86)\Microsoft Visual Studio\Installer\. Note that you should run as administrator.

Solution:

  1. Export the CA certificate “Microsoft Root Certificate Authority” to file.
  2. Disable Automatic Root Certificate Update in Group policy. Run gpedit.msc -> Computer config -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> Turn off Automatic Root Certificates Update -> Enabled.
  3. Open local computer certificate manager. (Steps here) Delete the “Microsoft Root Certificate Authority” CA certificate from trusted root certification authorities.
  4. Import the certificate from file (just exported in step 1).
  5. Check the digital signature of vs_installershell.exe from File Properties again. Now the signature should be valid.
  6. Turn on Automatic Root Certificates Update. (Refer to the operation in step 2)

Root cause: Before the error occurs, I just deleted all the certificate from system. But “Microsoft Root Certificate Authority” is required for Windows. If deleted, the system might encounter unknown issue. Turn off and turn on the Automatic Certificate Update and re-import the certificate would reset internal system state, which solve the problem.

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注